Flaws in Java AMF Libraries Allow Remote Code Execution

Deserialization-related vulnerabilities found in several Java implementations of AMF3 can be exploited for unauthenticated remote code execution and XXE attacks, warned CERT/CC.

The security holes were reported to CERT/CC and vendors by Markus Wulftange, senior penetration tester at Code White. Patches have been made available for some of the affected products.

Serialization is the process where an object is converted to a stream of bytes in order to store or transmit that object to memory or a file. The process in which serialized data is extracted is called deserialization and it can lead to significant security flaws if not handled properly.

AMF3, the latest version of Adobe’s Action Message Format, is a compact binary format used to serialize ActionScript object graphs. AMF was first introduced in Flash Player 6 in 2001 and AMF3 has been around since Flash Player 9.

Wulftange has discovered that some Java implementations of AMF3 deserializers introduce potentially serious vulnerabilities, allowing unauthenticated attackers to remotely execute code or cause a denial-of-service (DoS) condition. An XXE flaw reported by the researcher can also lead to disclosure of sensitive data on the server.

CERT/CC’s advisory mentions three vulnerabilities. The first flaw allows an attacker who can spoof or control an RMI (Remote Method Invocation) server to execute code. This security hole is said to affect Atlassian’s JIRA, Exadel’s Flamingo, GraniteDS, Spring spring-flex, and WebORB for Java by Midnight Coders.

The second vulnerability can also be exploited for arbitrary code execution by an attacker who can spoof or control information. This weakness impacts Flamingo, Apache’s Flex BlazeDS and GraniteDS. The XXE flaw has been found to affect the same products along with WebORB.

Some of the vulnerable libraries, such as GraniteDS and Flamingo, have been discontinued. Atlassian and Apache have released patches for the flaws impacting their products.

According to CERT/CC, products from HPE, SonicWall and VMware could also be affected. The organization has advised developers to use versions of JDK that implement serialization blacklisting filters and ensure that their products properly handle deserialized data from untrusted sources.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.